Use case 7: Configure load balancing in DSR mode by using IP Over IP

You can configure your NetScaler appliance to use direct server return (DSR) mode across Layer 3 networks by using IP tunneling, also called IP over IP configuration. As with standard load balancing configurations for DSR mode, this allows servers to respond to clients directly instead of using a return path through the NetScaler appliance, improving response times and throughput. As with standard DSR mode, the NetScaler appliance monitors the servers and performs health checks on the application ports.

With IP over IP configuration, the NetScaler appliance and the servers do not need to be on the same Layer 2 subnet. Instead, the NetScaler appliance encapsulates the packets before sending them to the destination server. After the destination server receives the packets, it decapsulates the packets, and then sends its responses directly to the client.

To configure IP over IP DSR mode on your NetScaler appliance, you must do the following:

Configure a load balancing virtual server

Configure a virtual server to handle requests to your applications. Assign a service type of ANY and set the forwarding method to IPTUNNEL. Optionally, configure the virtual server to operate in sessionless mode. You can configure any load balancing method that you want to use.

To create and configure a load balancing virtual server for IP over IP DSR by using the command line interface

At the command prompt, type the following commands to configure a load balancing virtual server for IP over IP DSR and verify the configuration:

add lb vserver <name> <serviceType> <ip> <port> -lbMethod <method> -m <ipTunnelTag> -sessionless <sessionless>

show lb vserver <name>

Example:

In the following example, we have selected SourceIPHash as the load balancing method and configured sessionless load balancing.

add lb vserver Vserver-LB-1 ANY 10.102.29.60 * -lbMethod SourceIPHash -m IPTUNNEL -sessionless enabled

To create and configure a load balancing virtual server for IP over IP DSR by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create a virtual server, and specify Redirection Mode as IP Tunnel Based.

Configure services for IP over IP DSR

After creating your load-balanced server, you must configure one service for each of your applications. The service handles traffic from the NetScaler appliance to those applications, and allows the NetScaler appliance to monitor the health of each application.

You assign a service type of ANY and configure it for USIP mode. Optionally, you can also bind a monitor of type IPTUNNEL to the service for tunnel-based monitoring.

To create and configure a service for IP over IP DSR by using the command line interface

At the command prompt, type the following commands to create a service and optionally, create a monitor and bind it to the service:

add service <serviceName> <serverName> <serviceType> <port> -usip <usip>

add monitor <monitorName> <monitorType> -destip <ip> -iptunnel <iptunnel>

bind service <serviceName> -monitorName <monitorName>

Example:

In the following example, we are creating a monitor of type IPTUNNEL:

add monitor mon-1 PING -destip 10.102.29.60 -iptunnel yes
add service Service-DSR-1 10.102.30.5 ANY * -usip yes
bind service Service-DSR-1 -monitorName mon-1

To configure a monitor by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Create a monitor, and select IP Tunnel.

To create and configure a service for IP over IP DSR by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services.
  2. Create a service and, in Settings, select Use Source IP Address.

To bind a service to a load balancing virtual server by using the command line interface

At the command prompt, type the following command:

bind lb vserver <name> <serviceName>

Example:

bind lb vserver Vserver-LB-1 Service-DSR-1

To bind a service to a load balancing virtual server by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Open a virtual server, and click in the Services section to bind a service to the virtual server.
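
The procedure above comes down to three settings that must agree: a virtual server of type ANY with -m IPTUNNEL, services of type ANY with -usip yes, and bindings that name services that exist. The following check is an added example, not part of the NetScaler documentation; it lints saved configuration lines for those settings, and the sample lines and the names svc-a, svc-b, svc-c and vs-dsr are constructed for illustration.

```python
import shlex

# Constructed configuration, not taken from a real appliance.
SAMPLE = """\
add service svc-a 192.0.2.91 ANY * -usip yes
add service svc-b 192.0.2.92 ANY *
add lb vserver vs-dsr ANY 203.0.113.9 * -lbMethod SourceIPHash -m IPTUNNEL -sessionless enabled
bind lb vserver vs-dsr svc-a
bind lb vserver vs-dsr svc-b
bind lb vserver vs-dsr svc-c
"""

def _options(tokens):
    """Collect '-name value' pairs, lower-cased for case-insensitive checks."""
    return {tokens[i].lower(): tokens[i + 1].lower()
            for i in range(len(tokens) - 1) if tokens[i].startswith("-")}

def lint_dsr(config):
    """Return findings for virtual servers that forward with -m IPTUNNEL."""
    services, vservers, binds = {}, {}, []
    for line in config.splitlines():
        t = shlex.split(line)
        if t[:2] == ["add", "service"] and len(t) >= 6:
            services[t[2]] = (t[4].upper(), _options(t[6:]))
        elif t[:3] == ["add", "lb", "vserver"] and len(t) >= 5:
            vservers[t[3]] = (t[4].upper(), _options(t[5:]))
        elif t[:3] == ["bind", "lb", "vserver"] and len(t) >= 5:
            binds.append((t[3], t[4]))
    findings = []
    for name, (vtype, vopts) in vservers.items():
        if vopts.get("-m") != "iptunnel":
            continue  # not an IP over IP DSR virtual server
        if vtype != "ANY":
            findings.append(f"{name}: service type {vtype}, expected ANY")
        bound = [svc for vs, svc in binds if vs == name]
        if not bound:
            findings.append(f"{name}: no service bound")
        for svc in bound:
            if svc not in services:
                findings.append(f"{name}: bound service {svc} is not defined")
                continue
            stype, sopts = services[svc]
            if stype != "ANY":
                findings.append(f"{svc}: service type {stype}, expected ANY")
            if sopts.get("-usip") != "yes":
                findings.append(f"{svc}: -usip yes is not set")
    return findings
```

For the constructed sample, lint_dsr(SAMPLE) reports the service without USIP mode and the binding to an undefined service.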

Using the Client IP address in the Outer Header of Tunnel Packets

The NetScaler appliance supports using the client IP address as the source IP address in the outer header of tunnel packets in direct server return mode using IP tunneling. This feature is supported for DSR with IPv4 and DSR with IPv6 tunneling modes. To enable this feature, enable the use client source IP address parameter for IPv4 or IPv6. The setting applies globally to all DSR configurations that use IP tunneling.

To use the client IP address as the source IP address on the outer header of IPv4 tunnel packets by using the CLI

At the command prompt, type:

set iptunnelparam -useclientsourceip [YES | NO]

show iptunnelparam

To use the client source IP address as the source IP address on the outer header of IPv6 tunnel packets by using the CLI

At the command prompt, type:

set ip6tunnelparam -useclientsourceip [YES | NO]

show ip6tunnelparam

Following is a sample load balancing configuration in DSR mode using IPv4 tunneling. LBVS-IPIP-1 is the load balancing virtual server, and services SERVICE-DSR-IPIP-1 and SERVICE-DSR-IPIP-2 are bound to LBVS-IPIP-1.

> set iptunnelparam -useclientsourceip YES
Done

> add service SERVICE-DSR-IPIP-1 192.0.2.91 ANY * -usip yes
Done

> add service SERVICE-DSR-IPIP-2 192.0.2.92 ANY * -usip yes
Done

> add lb vserver LBVS-IPIP-1 ANY 203.0.113.9 * -m IPTUNNEL
Done

> bind lb vserver LBVS-IPIP-1 SERVICE-DSR-IPIP-1
Done

> bind lb vserver LBVS-IPIP-1 SERVICE-DSR-IPIP-2
Done
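
What the useclientsourceip setting changes on the wire can be checked on a packet captured at the backend server. The following parser is an added example, not part of the NetScaler documentation; it decapsulates an IPv4-in-IPv4 packet (IP protocol 4) and reports whether the outer source address is the client or a different tunnel endpoint. The packets are constructed, the client address 198.51.100.7 is made up, and the appliance address 192.0.2.1 used for the NO case is an assumption.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IPv4-in-IPv4 encapsulation (RFC 2003)

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) after validating the length fields."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or total > len(buf):
        raise ValueError("bad IPv4 length fields")
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:total]

def describe_tunnel_packet(buf, vip):
    """Decapsulate one IP over IP packet and report how it was addressed."""
    o_src, o_dst, proto, inner = parse_ipv4(buf)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    i_src, i_dst, _, _ = parse_ipv4(inner)
    return {
        "outer_src": o_src, "server": o_dst,
        "client": i_src, "inner_dst": i_dst,
        "inner_dst_is_vip": i_dst == vip,        # server answers from the VIP
        "outer_src_is_client": o_src == i_src,   # True with useclientsourceip YES
    }

# Constructed packets: client 198.51.100.7 -> VIP 203.0.113.9, tunnelled to 192.0.2.91.
INNER = ipv4_header("198.51.100.7", "203.0.113.9", 6, 0)
# useclientsourceip NO: outer source is an appliance-owned address (assumed 192.0.2.1).
PKT_NO = ipv4_header("192.0.2.1", "192.0.2.91", IPPROTO_IPIP, len(INNER)) + INNER
# useclientsourceip YES: outer source is the client address.
PKT_YES = ipv4_header("198.51.100.7", "192.0.2.91", IPPROTO_IPIP, len(INNER)) + INNER
```

With the setting enabled, the outer source address no longer identifies the appliance, so a backend packet filter that admits protocol 4 only from the appliance's address would drop these packets.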

Decapsulator configuration

  • When a NetScaler appliance is used as a decapsulator, an IP tunnel must be created in the NetScaler appliance. For details, see Configuring IP Tunnels.

     Example configuration:

add lb vserver v1 any 1.1.1.1 * -m IPTUNNEL

add service s1 2.2.2.2 ANY *

bind lb vserver v1 s1

add iptunnel tun1 <snip_in_encap> netmask *

add ns ip 1.1.1.1 255.255.255.255 -type vip -arp disabled

add lb vserver v1 any 1.1.1.1 *

add service s1 <actualserverip> ANY *

bind lb vserver v1 s1
  • When a backend server is used as a decapsulator, the backend configuration varies depending on the server type. The steps involved in configuring a backend server as a decapsulator are:
  1. Configure a loopback interface.
  2. Add a route through the tunnel interface.

Note: Make sure that the tunnel modules are installed in the system.

    Example configuration:

In this example, 1.1.1.1 is the NetScaler virtual IP (VIP) address and 2.2.2.2 is the backend server IP address.

The VIP address is configured in the loopback interface and a route is added through the tunnel interface. The modprobe ipip command is used for enabling the tunnel interface.

add lb vserver v1 ANY 1.1.1.1 80 -m IPTUNNEL

add service svc1 2.2.2.2 ANY 80 -usip YES -useproxyport NO

bind lb vserver v1 svc1

ifconfig lo inet 1.1.1.1 netmask 255.255.255.255

modprobe ipip

echo 1 > /proc/sys/net/ipv4/conf/tunl0/arp_ignore

echo 2 > /proc/sys/net/ipv4/conf/tunl0/arp_announce

ifconfig tunl0 1.1.1.1 netmask 255.255.255.255 up

route add -host 1.1.1.1 dev tunl0
